Abstract. In recent years, mixed integer linear programming (MILP, in
short) has gradually become a popular tool of automated cryptanalyses in
symmetric ciphers, which can be used to search differential characteristics
and linear approximations with high probability/correlation. A key
problem in the MILP method is how to build a proper model that can be 
solved efficiently in the MILP solvers like Gurobi or Cplex. It is known 
that a MILP problem is NP-hard, and the numbers of variables and in- 
equalities are two important measures of its scale and time complexity. 
Whilst the solution space and the variables in many MILP models built 
for symmetric cryptanalyses are fixed without introducing dummy vari- 
ables, the cardinality, i.e., the number of inequalities, is a main factor 
that might affect the runtime of MILP models. We notice that the norm 
of a MILP model, i.e., the maximal absolute value of all coefficients in its 
inequalities, is also an important factor affecting its runtime. In this work 
we will illustrate the effects of two parameters cardinality and norm of 
inequalities on the runtime of Gurobi by a large number of cryptanalysis 
experiments. Here we choose the popular MILP solver Gurobi and view
it as a black box, construct a large number of MILP models with different
cardinalities or norms by means of differential analyses and impossible 
differential analyses for some classic block ciphers with SPN structure, 
and observe their runtimes in Gurobi. As a result, our experiments show 
that although minimizing the number of inequalities and the norm of 
coefficients might not always minimize the runtime, it is still a better 
choice in most situations. 


Keywords: Automated cryptanalysis - Mixed integer linear programming - Full 
linear integer inequality characterization - Cardinality - Norm 


1 Introduction 


Mixed integer linear programming (MILP, in short) is a crucial optimization 
problem in operational research. It is a class of NP-hard problems whose goal 
is to minimize/maximize a linear objective function under linear constraints. As 
an effective mathematical modeling method to solve complex optimization tasks,
MILP is widely used to solve various problems such as the assignment problem
[1], production and distribution planning [2], optimal power flow problem [8], 
and cryptanalysis [4]. 

Differential analysis and linear analysis [6] are two of the most important
cryptanalyses in block ciphers; their core is to search for differential/linear
trails with high probabilities/correlations to construct distinguishers
or accomplish key recovery attacks. There are many effective variants of
differential analysis and linear analysis such as truncated differential attack [7],
related-key differential attack [8], impossible differential attack [9] and zero
correlation attack [10]. Over the past decade, MILP has become one of the
most widely used tools in automated search algorithms that can effectively search
for differential/linear trails with high probability/correlation.


The MILP-based method was first introduced into differential and linear 
analysis by Mouha et al. [4] to search the minimal number of active S-boxes. 
Later Sun et al. [11] extended the previous method to S-bP structures. In another
work, Sun et al. [12] proposed an automatic method for evaluating the security
of bit-oriented block ciphers against the (related-key) differential attack. After 
that, the MILP-based method has become more widely used. In [13], Fu et al. 
proposed a MILP-based method for searching differential characteristics and 
linear approximations for ARX ciphers. Combining the correlation of a quadratic 
Boolean function based on its disjoint quadratic form, Shi et al. [14] derived a 
MILP problem from a generic model for MORUS-like keystream generators and 
determined the correlations of linear trails of MiniMORUS and MORUS. MILP- 
based methods could also be used to search zero-correlation distinguishers [15] 
and impossible differential distinguishers [16].


Besides, the MILP-based method also has many applications in other crypt- 
analyses. In 2009, the MILP method was applied to solve a sparse system of 
quadratic equations and presented a numerical attack on some reduced versions 
of Trivium [17]. Albrecht and Cid [18] proposed a new algorithm to solve a set
of nonlinear algebraic equations derived from cold boot attacks by constructing 
MILP models in 2011. Later, Walter et al. optimized guessing strategies for 
algebraic cryptanalysis on the block cipher EPCBC with MILP models in 2013. 
Xiang et al. [20] translated the propagation of division property into a MILP 
problem and searched integral distinguishers. By modeling the division trails 
with MILP, the superpoly could be recovered in cube attacks [21]. In 2020, Cen 
et al. proposed a new method to solve the minimizing problem of deduc- 
tion systems based on MILP to search the optimal trail of guess and determine 
analysis. 


In summary, MILP has gradually become a powerful tool for automated 
cryptanalyses in symmetric ciphers, and further exploration of the MILP prob- 
lem has recently become a hot topic in cryptography. In MILP-based automated 
cryptanalyses, the common and crucial problem is the efficiency of solving tar- 
get models. There are many mature solvers for MILP problems, such as Gurobi 
[23], Cplex [24], and Minisat [25]. Among them, the Gurobi optimizer is one of 
the best-performing commercial solvers for MILP problems, which is also used
for experiments in this paper. However, the internal algorithms of Gurobi are
not disclosed in detail, and users cannot figure out which model is more efficient
before calling Gurobi to solve it. Therefore how to construct an effective model
for Gurobi has attracted more and more attention from researchers in recent years.

In general, a MILP model has two main parameters that determine the scale 
of the problem: the number of variables and the number of inequalities. As an 
NP-Hard problem, the dominant view is that the smaller the scale, the easier 
it is to solve. As for MILP models built for automated cryptanalyses in most 
cases, the values of variables are limited to $\mathbb{Z}_2$, and the coefficients of inequalities
are restricted to $\mathbb{Z}$. Furthermore, for the same cryptanalytic object, the solution
space and the number of variables of its corresponding MILP models are usually 
the same when no dummy variables are introduced. Consequently, the main 
difference for models of the same cryptanalysis is the number of inequalities, 
which will be called the cardinality of the inequality set later. 

In the previous work, researchers always tended to reduce the number of
inequalities to improve the efficiency of the model. However, this assertion
lacked experimental and theoretical support. In [26], Todo and Sasaki claimed
that the folklore “minimizing the number of inequalities minimizes the runtime” 
is not always correct. They ran experiments with various numbers of inequali- 
ties to check how the number of inequalities is related to the runtime of MILP 
models. In addition, many other parameters also have effects on the efficiency 
of the solution: Li et al. presented the influences between the construction 
and solution of MILP models solved by Gurobi, and considered the number of 
variables and constraints and the order of constraints and variables. Besides, ac- 
cording to some experimental results, we found that the maximal absolute value 
of all coefficients in inequalities, which will be called the norm later, also has a 
significant influence on the efficiency of the model. 

In this paper, our main goal is to illustrate the effect of the norm and cardi- 
nality of MILP models on the runtime of Gurobi by conducting a large number 
of cryptanalysis experiments. 


1.1 Related Work 


There has been much work on constructing efficient models by reducing the number
of inequalities needed to characterize a given set $S \subseteq \mathbb{Z}_2^n$. In 2014, Sun et al.
computed the H-representation of the convex hull of S with the mathematical
software SAGE [29], then a greedy algorithm was applied to remove the redundancy
and select as few inequalities as possible. Abdelkhalek et al. [30] constructed 
inequalities by logical conditions and converted the problem into a problem of 
minimizing the product-of-sum representation of Boolean functions to get fewer 
inequalities. Based on the Set Covering Problem (SCP, in short), Todo and Sasaki 
[16] proposed a MILP model to select the minimal number of inequalities from a 
given candidate set. In 2019, Li et al. proposed a new way to construct inequal- 
ities from a lower dimensional case. Using the inequalities obtained through the 
previous methods, they obtained fewer inequalities than before for larger dimensional
cases. Based on the algebraic and geometric structure of sets, Boura et al.
further reduced the number of inequalities to characterize a given set. By
adding up inequalities in the candidate set and selecting inequalities using the 
SCP-based method, they characterized sets with fewer inequalities for n < 10. 
For larger n, a new structure of points in S that could be cut by the same 
inequality was explored, and better results were obtained. Later, properties of 
S that can be characterized by only one linear inequality were further studied. 
Udovenko and Sun respectively proposed new algorithms and updated
the results of the previous work. Independently of Udovenko [32] and Sun [33],
by exploring properties of plain sets such as type, sparsity, degeneration, order,
minimal and maximal element, Feng et al. [34] established a complete theoretical
system to solve the problem of fully characterizing a given set with the minimal
number of inequalities. They provided an algorithm for enumerating all plain
closures for a given S-box, which supports point sets with high dimension up to
18 and is the fastest at present. They first obtained all plain closures of many 
common S-Boxes used in block ciphers. As for the MILP characterizations of 
many common S-Boxes, all results they got are the best at present. Particularly, 
their results are far better than the previous in the high dimensional cases. 

With regard to the norm of inequality sets, since the logical condition method 
adopted the idea of the representations of Boolean functions, norms were limited 
to a small range and could not be changed. Meanwhile, inequalities constructed 
by the convex-hull-based method usually had larger norms and could not be 
controlled by users. In [34], Feng et al. proposed a method to find the minimal 
norm based on theoretical research and realized the complete control of the 
norm, which led to the reduction of model-solving time. 


1.2 Our Contributions 


In this paper, we concentrate on the number of inequalities and the maximal 
absolute value of their coefficients in a full linear integer inequality characteri- 
zation and construct a large number of experiments to explore the relationship 
between these two factors and the runtime of the MILP model. 

First of all, we propose a MILP model to check whether a given set can 
be characterized by a linear inequality with coefficients in a given range. Based 
on this algorithm and the idea of binary search, a new algorithm to find an 
equivalent inequality of a given inequality with the minimal norm is proposed. 
Moreover, we also provide an algorithm to select a FLIIC with a given cardinality 
from the candidate set. 

Based on the discussion of the norm and cardinality, we characterize basic 
components of block ciphers with equivalent inequality sets whose norms and 
cardinalities are different. Then we construct a large number of experiments and 
compare the runtimes of models to explore the effect of the norm and cardinality. 

From the results of our experiments, it makes sense to say that reducing the 
scale of the model is helpful, although this assertion may not always be accurate. 
In the case that the relationship between the modeling method and the runtime 
cannot be thoroughly studied, the characterization with the minimal norm and
cardinality is a better choice in general. The source codes and results of this paper
are available at
https://gitee.com/ShelwinXu/on-two-factors-affecting-the-efficiency-of-milp-models-in-automated-cryptanalyses-code.git.


1.3 Organization 


The rest of the paper is organized as follows: some preliminaries and notations
are given in Section 2. In Section 3, new algorithms to control the norm and
cardinality of inequality sets are proposed as the theoretical basis of the
experiment. Finally, in Section 4, a large number of experiments are conducted to
study the effect of the norm and cardinality on the runtime of the model.


2 Preliminaries 


In this section we will give a brief overview of notations and definitions used in 
this paper. Table 1 lists part of the notations.


Table 1. The notations used throughout the paper

Notation | Description
$n$ | A positive integer
$\mathbb{Z}$ | The set of all integers
$\mathbb{R}$ | The set of all real numbers
$\mathbb{Z}_2$ | The set $\{0,1\}$
$\mathbb{Z}_2^n$ | The set of all n-tuples over $\mathbb{Z}_2$, i.e., $\{0,1\}^n$
$wt(x)$ | Hamming weight of $x$
$e_i$ | An n-bit unit whose i-th element is 1 and others are 0
$x \oplus y$ | Bitwise XOR between $x$ and $y$
$S$ | A subset of $\mathbb{Z}_2^n$
$\bar{S}$ | The complementary set of $S$ in $\mathbb{Z}_2^n$
$l: \sum_{i=0}^{n-1} a_i x_i \ge b$ | A linear inequality whose coefficients are integers
$(a_0, a_1, \cdots, a_{n-1}, b)$ | The linear inequality $\sum_{i=0}^{n-1} a_i x_i \ge b$
$L = \{ l_i \mid l_i : \sum_{j=0}^{n-1} a_{i,j} x_j \ge b_i \}$ | A set of inequalities whose coefficients are integers


2.1 MILP Models and Full Characterization 


MILP is a fundamental method of finding the maximal or minimal value of a 
linear objective function whose variables are subjected to certain linear con- 
straints (linear inequalities) and has been widely used in operations research, 
graph theory, computational geometry, etc [85]. A MILP problem usually consists
of three parts: objective function, linear constraints and variables. It can
be formally stated as follows: given $A \in \mathbb{R}^{m \times n}$, $b \in \mathbb{R}^m$ and $c_1, \cdots, c_n \in \mathbb{R}$,
find $x \in \mathbb{Z}^k \times \mathbb{R}^{n-k} \subseteq \mathbb{R}^n$ with $Ax \le b$ such that $c_1x_1 + c_2x_2 + \cdots + c_nx_n$ is
maximized or minimized, where $\mathbb{R}$ and $\mathbb{Z}$ are the sets of all real numbers and all
integers respectively. Linear constraints are a set of linear inequalities which can
be written as:

$$
\begin{aligned}
a_{1,1}x_1 + \cdots + a_{1,n}x_n &\ge b_1, \\
a_{2,1}x_1 + \cdots + a_{2,n}x_n &\ge b_2, \\
&\ \ \vdots \\
a_{m,1}x_1 + \cdots + a_{m,n}x_n &\ge b_m.
\end{aligned}
$$

In most MILP-based cryptanalyses, the variable $x_i$ is usually set as a binary
variable, that is, the value is limited in Z2, and elements in the coefficient matrix 
A corresponding to the constraint conditions are restricted to Z. In the MILP 
model, the objective function can be set as maximization/minimization, or be 
omitted. When the model does not have an objective function, the output result 
is a feasible solution or no solution. 

To construct MILP models for the cryptanalytic algorithm, attackers need 
to characterize basic components of ciphers by linear integer inequalities. By 
ensuring the solution space of these linear integer inequalities is the solution 
required for cryptanalyses, attackers can perform automated cryptanalyses by 
solving the MILP model. This kind of modeling method is called the full linear 
integer inequality characterization. 


Definition 1 (FLIIC). Let $S \subseteq \mathbb{Z}_2^n$ and $L$ be a set of linear integer inequalities:

$$
\begin{cases}
a_{0,0}x_0 + a_{0,1}x_1 + \cdots + a_{0,n-1}x_{n-1} + b_0 \ge 0, \\
a_{1,0}x_0 + a_{1,1}x_1 + \cdots + a_{1,n-1}x_{n-1} + b_1 \ge 0, \\
\qquad \vdots \\
a_{m-1,0}x_0 + a_{m-1,1}x_1 + \cdots + a_{m-1,n-1}x_{n-1} + b_{m-1} \ge 0,
\end{cases}
\tag{1}
$$

where $a_{i,j}$ and $b_i$ are integers for $0 \le i \le m-1$, $0 \le j \le n-1$. $L$ is called a full
linear integer inequality characterization (FLIIC, in short) of $S$ if the solution
set of $L$ on $\mathbb{Z}_2^n$ is $S$ exactly. We also say $L$ fully characterizes $S$, and $m$ is called
the cardinality of $L$, denoted by $|L|$.


We say $L_1$ and $L_2$ are equivalent if they fully characterize the same set $S$.
In particular, $l_2$ is said to be an equivalent inequality of $l_1$ if its solution space
is the same as that of $l_1$.

Define the norm $\| l \|$ of $l$ as below:

$$
\| l \| := \max\{ |a_i|, |b|,\ 0 \le i \le n-1 \}.
$$

Similarly, let $L = \{ l_i \mid 0 \le i \le m-1 \}$, and we have $Sov(L) = \bigcap_{i=0}^{m-1} Sov(l_i)$,
where $Sov(l)$ means the solution set of the inequality $l$ on $\mathbb{Z}_2^n$. Particularly, if
$L$ has only one inequality $l$, we can use $l$ instead of $L$. The norm $\| L \|$ of $L$ is
defined as below:

$$
\| L \| := \max\{ \| l_i \| \mid 0 \le i \le m-1 \}.
$$


In this paper, we will focus on the effect of the norm and cardinality of a 
FLIIC on the efficiency of solving it in Gurobi. 


2.2 Set Covering Problem 


Set Covering Problem has important applications in the MILP-based automated 
search, which is used to choose as few inequalities as possible from the large 
candidate inequality set to assemble a FLIIC for a given set in $\mathbb{Z}_2^n$. First of all,
a formal description of SCP is provided.

Suppose $U$ is a given set, denote $S$ as a subset of the power set of $U$ which
contains n elements whose union is $U$. SCP is aimed to find a minimal subset of
$S$ such that their union is equal to $U$. The specific description is as follows:

Decision variables:

$$
y_s = \begin{cases} 1, & \text{if } s \in S \text{ is selected;} \\ 0, & \text{otherwise.} \end{cases}
$$

Objective function:

$$
\text{Minimize } \sum_{s \in S} y_s.
$$

Constraint conditions:

$$
\sum_{s:\, e \in s} y_s \ge 1, \ \forall e \in U; \qquad y_s \in \{0,1\}, \ \forall s \in S.
$$


The objective function is set as the minimal value of the number of selected 
subsets and the constraint conditions ensure that all elements in U are covered. 

SCP has been proven to be NPC [36], which plays a very important role in 
reducing the scale of models for better characterization in automatic cryptanal- 
yses. Traditional MILP characterization can be divided into two steps: the first 
step is to generate sufficient characterization inequalities for the given set and 
establish a full characterization as a candidate set; the second step is to remove 
redundant inequalities from this candidate set, i.e., select the minimal number of 
inequalities as the final full characterization. The second step can be completely 
converted into an SCP, where the set composed of all infeasible points is the 
target set U, the set of points cut off by each candidate inequality is regarded 
as an element of S, and all the candidate inequalities can be regarded as S. The 
minimal number of inequality characterization can be obtained by selecting the 
minimal subset of S to cover U. According to the definition, SCP is equivalent to 
a MILP which can be solved directly by MILP solvers and get the optimal value. 
This method is efficient for low dimensional sets and can provide a theoretical 
guarantee of optimality. However, due to the large number of candidate inequal- 
ities and infeasible points, the scale of a MILP model corresponding to SCP is 
usually large, and it is very difficult to obtain the optimal solution directly. In 
this case, other methods such as the greedy algorithm and heuristic algorithms 
are often adopted to get better solutions. Although it is difficult to prove the 
optimality theoretically, a good solution can still be obtained by solving an SCP 
for high dimensional sets. 


3 Algorithms to Control the Norm and Cardinality 


In this section, we propose a MILP model $M(S, \bar{S}, B)$ to check if $S$ can be
characterized by a linear inequality $l$ with $\| l \| \le B$ for a given positive integer
$B$, and a new algorithm ReducedNorm(l) to find an equivalent inequality of $l$
with the minimal norm. ReducedNorm(l) can change coefficients of inequalities
while keeping the solution space unchanged, which is very important to study the
effect of the norm of FLIIC on the solving efficiency of the model. Meanwhile, an
algorithm to select FLIICs of a given cardinality is also provided in this section.


3.1 Algorithm to Construct a FLIIC with a Specified Range of 
Coefficients 


First, we propose a MILP model M without an objective function to determine 
whether a given set can be characterized by an inequality with coefficients in a 
specified range: 

$M(S, \bar{S}, B)$ Variables. There are $n+1$ integer variables in this MILP model,
$a_0, a_1, \cdots, a_{n-1}, b$.

$M(S, \bar{S}, B)$ Bound. These $n+1$ variables are all integers and bounded by
$B$:

$$
-B \le a_i \le B, \ i = 0, 1, 2, \cdots, n-1, \qquad -B \le b \le B.
$$

$M(S, \bar{S}, B)$ Constraints. Since $a_0, a_1, \cdots, a_{n-1}, b$ represent the coefficients
of our target linear inequality characterization of $S$, we have the following
constraints:

For $(x_0, x_1, \cdots, x_{n-1}) \in S$,

$$
\sum_{i=0}^{n-1} a_i x_i \ge b.
$$

For $(y_0, y_1, \cdots, y_{n-1}) \in \bar{S}$,

$$
\sum_{i=0}^{n-1} a_i y_i \le b - 1.
$$

Algorithm 1 is proposed to construct $M(S, \bar{S}, B)$ and solve it. As a result, if
$M(S, \bar{S}, B)$ is feasible, then we get a FLIIC $l$ of $S$, where $l = (a_0, a_1, \cdots, a_{n-1}, b)$
with $\| l \| \le B$.


Moreover, we have a basic observation that can be used to construct a FLIIC
whose norm is close to a given value:


Observation 1 In Gurobi, when there is no objective function, the feasible so- 
lution output by the solver tends to be close to the boundary. 


Algorithm 1 $M(S, \bar{S}, B)$

Input: $S, \bar{S} \subseteq \mathbb{Z}_2^n$, a positive integer $B$
Output: $n+1$ integers $(a_0, a_1, \cdots, a_{n-1}, b)$ or INFEASIBLE

Declare an empty MILP model M;
M.Var ← $a_i \in [-B, B]$, $i \in \{0, 1, \cdots, n-1\}$;
M.Var ← $b \in [-B, B]$;
for all points $(x_0, x_1, \cdots, x_{n-1}) \in S$ do
    M.Con ← $a_0x_0 + a_1x_1 + \cdots + a_{n-1}x_{n-1} - b \ge 0$;
end for
for all points $(y_0, y_1, \cdots, y_{n-1}) \in \bar{S}$ do
    M.Con ← $a_0y_0 + a_1y_1 + \cdots + a_{n-1}y_{n-1} - b \le -1$;
end for
M.Optimize();
if M is infeasible then
    return INFEASIBLE;
else
    return $(a_0, a_1, \cdots, a_{n-1}, b)$;
end if


For example, while $S$ and $\bar{S}$ are the same, the solution of $M(S, \bar{S}, 50)$ is

$l_0 = (50, -38, 50, 25, -12, 26, 24, 11, 0)$,

whose norm is 50, and the solution of $M(S, \bar{S}, 500)$ is

$l_1 = (-300, 99, 201, -100, 201, -300, 500, -100, 500)$,

whose norm is 500. According to this observation, we can control norms by
setting different bounds for variables in M. We take the block cipher Present as
an example, and illustrate the relationship between norms of FLIICs and mean
absolute values of coefficients generated by this method in Table 2. It can be
seen that a uniform amplification of the coefficients is achieved and FLIICs with
different norms can be generated.


Table 2. The norm and mean value of the coefficients of the FLIIC of Present's S-box

Norm       | 19   | 50    | 100   | 500    | 1000   | 5000    | 10000   | 50000
Mean Value | 4.31 | 23.62 | 47.47 | 238.51 | 477.34 | 2387.94 | 4776.14 | 23882.02


3.2 Algorithm to Obtain a FLIIC with the Minimal Norm 


It is worth mentioning that although it is difficult to quantify the relationship 
between the solving speed of a MILP solver and the norm of inequalities in 
automated search algorithms, people tend to select a smaller norm to make the 
solving speed faster. Therefore, we propose a norm reduction algorithm with
the help of the MILP solver and the binary search algorithm. With the new
algorithm, we can find an equivalent one with the minimal norm for a given
inequality. It also provides a new way to construct a MILP model with a smaller
scale. Next, we will show how to reduce the norm of linear inequalities in detail.

For a given linear inequality $l: \sum_{i=0}^{n-1} a_i x_i \ge b$, the solution set of $l$ is
computed and denoted as $S$, the norm of $l$ is denoted as $B$. We know that the
model $M(S, \bar{S}, B)$ is feasible since $(a_0, a_1, \cdots, a_{n-1}, b)$ is a solution of this model.
ReducedNorm(l) is used to find the minimal $B_{min}$ such that $M(S, \bar{S}, B_{min})$ is
also feasible. With the idea of the binary search, we turn to check whether the
model $M(S, \bar{S}, B/2)$ is feasible. If a feasible solution is returned, then we can find
an equivalent inequality $l'$ with $\| l' \| \le B/2$. Otherwise, we need to compute the
model $M(S, \bar{S}, 3B/4)$. Repeat the above process, then an equivalent inequality
of $l$ with the minimal norm can be obtained. The new algorithm needs to call
the MILP solver $O(\log(B))$ times. For more details, please refer to Algorithm 2.


Algorithm 2 ReducedNorm(l): Algorithm of reducing the norm of a given
linear inequality l

Input: An initial inequality $l: a'_0x_0 + a'_1x_1 + \cdots + a'_{n-1}x_{n-1} \ge b'$.
Output: An equivalent inequality of $l$ with the minimal norm.

for all points $(x_0, x_1, \cdots, x_{n-1}) \in \mathbb{Z}_2^n$ do
    if $a'_0x_0 + a'_1x_1 + \cdots + a'_{n-1}x_{n-1} \ge b'$ then
        $S$ ← $(x_0, x_1, \cdots, x_{n-1})$;
    else
        $\bar{S}$ ← $(x_0, x_1, \cdots, x_{n-1})$;
    end if
end for
low := 0;
high := max{abs($a'_i$), abs($b'$), $i = 0, 1, \cdots, n-1$};
while low < high do
    mid = (low + high)/2;
    M.Optimize();
    if $M(S, \bar{S}, mid)$ is feasible then
        $l'$ ← the solution of $M(S, \bar{S}, mid)$;
        high = mid - 1;
    else
        low = mid + 1;
    end if
end while
return $l'$;
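
The following Python sketch runs the norm-reduction idea of Algorithms 1 and 2 on a small case. It is an added example, not the authors' code: exhaustive enumeration of the coefficients stands in for the Gurobi call (practical only for very small n and B), the binary search is written over a closed interval so that every candidate bound is tested, and the function names and the sample inequality are assumptions made for illustration.

```python
from itertools import product


def dot(a, x):
    """Inner product of a coefficient vector and a 0/1 point."""
    return sum(ai * xi for ai, xi in zip(a, x))


def solution_sets(ineq):
    """Split Z_2^n into S (points with a.x >= b) and its complement S_bar.

    `ineq` is (a_0, ..., a_{n-1}, b), the tuple notation of Table 1.
    """
    *a, b = ineq
    S, S_bar = [], []
    for x in product((0, 1), repeat=len(a)):
        (S if dot(a, x) >= b else S_bar).append(x)
    return S, S_bar


def model_M(S, S_bar, B):
    """Feasibility of M(S, S_bar, B).

    Assumption: a brute-force search over [-B, B]^(n+1) replaces the MILP
    solver. Returns one feasible (a_0, ..., a_{n-1}, b) or None.
    """
    n = len((S or S_bar)[0])
    for cand in product(range(-B, B + 1), repeat=n + 1):
        *a, b = cand
        keeps_S = all(dot(a, x) >= b for x in S)          # a.x >= b on S
        cuts_rest = all(dot(a, y) <= b - 1 for y in S_bar)  # a.y <= b-1 on S_bar
        if keeps_S and cuts_rest:
            return cand
    return None


def reduced_norm(ineq):
    """Equivalent inequality with the minimal norm, by binary search on B.

    Feasibility of M(S, S_bar, B) is monotone in B, so bisection is valid.
    """
    S, S_bar = solution_sets(ineq)
    low, high = 0, max(abs(c) for c in ineq)
    best = tuple(ineq)  # the input itself is feasible for B = its norm
    while low <= high:
        mid = (low + high) // 2
        sol = model_M(S, S_bar, mid)
        if sol is not None:
            best, high = sol, mid - 1
        else:
            low = mid + 1
    return best


# Constructed sample: 13*x0 + 6*x1 + 7*x2 >= 12 over Z_2^3 (norm 13).
L_INPUT = (13, 6, 7, 12)

if __name__ == "__main__":
    reduced = reduced_norm(L_INPUT)
    print("input  :", L_INPUT, "norm", max(map(abs, L_INPUT)))
    print("reduced:", reduced, "norm", max(map(abs, reduced)))
```
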


3.3 Algorithm to Select a FLIIC with a Given Cardinality 


Recalling the previous introduction of the SCP, we know that an SCP can
be completely converted into a MILP problem, hence it can be solved by MILP
solvers. In this subsection, we introduce a MILP-based algorithm to build a
FLIIC from a given candidate set and provide a parameter to determine its
cardinality; please refer to Algorithm 3 for more details.


Algorithm 3 SelectIneq($\mathcal{L}$, N): Algorithm of selecting the FLIIC of a given
cardinality N

Input: A given candidate set $\mathcal{L} = \{ L_i \mid i = 0, \cdots, n-1 \}$ and a given integer N.
Output: A FLIIC whose cardinality is N.

$U = \{u_0, \cdots, u_{k-1}\}$ ← the infeasible points of $\mathcal{L}$;
for i = 0 to n - 1 do
    $U_i$ ← the infeasible points of $L_i$;
end for
Declare an empty MILP model M;
M.Var ← $z_i \in \{0,1\}$, $i = 0, \cdots, n-1$;
for i = 0 to k - 1 do
    M.Con ← $a_0z_0 + a_1z_1 + \cdots + a_{n-1}z_{n-1} \ge 1$, if $u_i \in U_j$ then $a_j = 1$, else $a_j = 0$;
end for
M.Optimize();
if M is infeasible then
    return INFEASIBLE;
else
    return $L' = \{ L_i \mid z_i = 1 \text{ in the solution of } M \}$;
end if


Algorithm 3 constructs a FLIIC with a given cardinality N by solving a
MILP model without an objective function. Moreover, by adding an objective 
function to minimize the number of selected inequalities, a FLIIC with the min- 
imal cardinality can be obtained. The same goal can be achieved by iterating 
N incrementally from 0 and solving SelectIneq(L, N) until it is feasible for the 
first time. 
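
The selection step of Section 2.2 and Algorithm 3 can be tried on a 3-bit set with the Python sketch below. It is an added example, not the authors' code: the candidate set is built by enumerating every valid inequality with norm at most B (the paper takes candidates from earlier methods), a search over N-element subsets stands in for the MILP solver, and N is iterated upward until the first feasible selection. The AND-gate point set and all function names are assumptions made for illustration; the example shows the minimal cardinality dropping from 3 to 2 once coefficients of absolute value 2 are allowed.

```python
from itertools import combinations, product


def cut_points(ineq, points):
    """Points violating a.x >= b, for ineq = (a_0, ..., a_{n-1}, b)."""
    *a, b = ineq
    return frozenset(p for p in points
                     if sum(ai * pi for ai, pi in zip(a, p)) < b)


def candidate_set(S, S_bar, B):
    """Map each candidate inequality to the infeasible points it cuts off.

    Assumption: candidates are all inequalities with norm <= B that keep
    every point of S and cut at least one point of S_bar.
    """
    n = len(S[0])
    cands = {}
    for ineq in product(range(-B, B + 1), repeat=n + 1):
        if cut_points(ineq, S):      # removes a feasible point: not valid
            continue
        cut = cut_points(ineq, S_bar)
        if cut:
            cands[ineq] = cut
    return cands


def select_ineq(cands, S_bar, N):
    """SelectIneq(L, N): N candidates whose cut sets cover S_bar, or None."""
    target = frozenset(S_bar)
    for subset in combinations(cands, N):
        if frozenset().union(*(cands[i] for i in subset)) == target:
            return list(subset)
    return None


def minimal_fliic(S, S_bar, B):
    """Iterate N upward until SelectIneq is feasible for the first time."""
    cands = candidate_set(S, S_bar, B)
    for N in range(1, len(cands) + 1):
        chosen = select_ineq(cands, S_bar, N)
        if chosen is not None:
            return chosen
    return None


def is_fliic(ineqs, S, S_bar):
    """True if the solution set of `ineqs` on Z_2^n is exactly S."""
    covered = frozenset().union(*(cut_points(i, S_bar) for i in ineqs))
    return covered == frozenset(S_bar) and not any(cut_points(i, S) for i in ineqs)


def and_gate_sets():
    """Constructed sample: S = {(x0, x1, x2) : x2 = x0 AND x1}."""
    pts = list(product((0, 1), repeat=3))
    S = [p for p in pts if p[2] == (p[0] & p[1])]
    return S, [p for p in pts if p not in S]


if __name__ == "__main__":
    S, S_bar = and_gate_sets()
    for B in (1, 2):
        chosen = minimal_fliic(S, S_bar, B)
        print(f"norm bound {B}: cardinality {len(chosen)} -> {chosen}")
```
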


4 Experimentally Based Observations of the Effects of 
the Norm and Cardinality 


In this section, based on the idea of the control variable method, we construct a 
large number of samples for automatic search models, and explore the effect of 
the norm and cardinality through the experimental results. 

In specific experiments, we keep the overall framework of the automated 
search model unchanged and only replace the FLIIC of basic components such as 
S-boxes to achieve the purpose of controlling variables. The relationship between 
the two target parameters and the solving efficiency of the model is investigated 
by using FLIICs with different norms and cardinalities. 


4.1 The Setting of Controlling Variables


To explore the influence of the norm and cardinality on the runtime of MILP 
models, models with different norms/cardinalities are generated by construct- 
ing FLIICs of S-boxes with different norms/cardinalities in SPN block ciphers. 
Meanwhile, other details are kept the same in these models. 

For the norm, we first call Algorithm 2 to obtain a new FLIIC with the
minimal norm from a given FLIIC and denote the model using this FLIIC as
Test 0. Next, based on Observation 1, equivalent inequalities of the inequalities
used in Test 0 with different norms are constructed by calling Algorithm 1.

For the cardinality, we control it by setting different N in SelectIneq($\mathcal{L}$, N)
which is introduced in Subsection 3.3. The candidate set $\mathcal{L}$ stores inequalities to
characterize a given S-box which can be generated by previous methods and is
fixed for all N. First, the FLIIC with the minimal cardinality in the sense of $\mathcal{L}$
is obtained for the Test 0 model. Then FLIICs with different cardinalities are
constructed to characterize the given S-box.


4.2 The Method of Generating Samples 


Our motivation is to conduct a large number of experiments to reflect statis- 
tical regularities. Since the background is the automatic search for differential 
trails, it is hard to carry out thousands of experiments based on practical ci- 
phers. To deal with this issue, many new examples without deviating from the 
actual application scenario are constructed. In our experiments, two kinds of 
automatic search models are considered: the search of the minimal number of
differential active S-boxes and the search of impossible differential trails, for the
cases with and without objective functions; they are denoted by Type 0 and
Type 1 respectively.

For Type 0 tests, based on models of SPN structures, different S-layers and P- 
layers are combined to produce new samples. For the S-layer, we select different 
4-bit S-boxes used in block ciphers such as Present, Rectangle and Lilliput. For
the P-layer, we make small changes to the bit-permutation layers of existing
ciphers, for example, by swapping two positions in the 64-bit bit-permutation
layer of Present, $\binom{64}{2} = 2016$ new samples can be generated.

For Type 1 tests, exhaustive search is adopted as the traditional search of 
impossible differential trails. More specifically, the input and output differences 
are fixed to determine whether the differential trail is feasible or not. For 64-bit 
block ciphers, when Hamming weights of the input difference x and the output
difference y are restricted to 1, i.e., wt(x) = wt(y) = 1, all possible combinations 
of them need to be exhausted, which means that 64 x 64 = 4096 new samples 
are constructed. 

Sufficient samples can be generated based on the above two types of experiments.
Since these samples are abstracted from specific automated cryptanalyses,
they can reflect the efficiency of solving models for automated cryptanalyses
convincingly. Besides, different rounds of automatic search also correspond to
different samples. Combined with the different modes of the norm and cardinality,
the experimental modes are denoted as $(T_i, R_j, N)$ and $(T_i, R_j, C)$ respectively,
where $T_i$ means the Type i test, $R_j$ means the j rounds search, N and C represent
the norm and cardinality respectively.


4.3 Experimental Results and Discussion 


For each generated sample, we conduct 8 experiments for the two parameters
mentioned above. In more detail, for norms, we investigate the minimal norm,
50, 100, 500, 1000, 5000, 10000, and 50000, and denoted as Test 0, Test 1,
..., Test 7, respectively. For example, Present($T_0$, $R_3$, N) Test 0 represents the
model with the minimal norm which explores the effect of the norm for 3 round
impossible differential search of samples with Present structure. For cardinalities,
we investigated the minimal cardinality $N_{min}$, $N_{min} + 10$, ..., $N_{min} + 70$, and
denoted as Test 0, Test 1, ..., Test 7 respectively. During the experiments, we
record runtimes of each model for further statistical analysis.

In the experiments for each sample, we design the following statistics based 
on the recorded runtime when different variables are adopted: 


— The number of Test 0 dominant samples (#Test 0 Dom): Among the experi- 
ments corresponding to each sample, if the runtime of Test 0 is the minimal, 
the sample is called Test 0 dominant. Similarly, %Test 0 Dom represents the 
percentage of samples that are Test 0 dominant; 

— The mean of the best tests (BT Mean): Among the experiments of each
sample, denote i as the best test if the runtime of Test i is the minimal, then
the mean of the best tests reflects the approximate sequence number of the
test which may lead to the minimal runtime;

— The optimal choice (Opt Choice): If the number of samples with the minimal 
runtime is the maximum under Test i for the current set of samples, then i 
is denoted as the optimal choice. 


Since we pay more attention to the effect of the minimal norm and cardinality 
on the improvement of solution efficiency, #Test 0 Dom is designed to investigate
the advantages of the minimal norm/cardinality. Meanwhile, if BT Mean is close 
to 0, it means that the smaller the norm/cardinality, the better the acceleration 
effect. The Opt Choice provides the best choice of the norm and cardinality 
in the overall consideration. Even if sometimes the percentage of samples that 
reach the minimal runtime under this choice is not exceptionally high, it still 
guarantees that there is no better choice. 

See the detailed results of experiments in Table 3. Moreover, we also construct
several automated search models for some lightweight block ciphers and draw
bar charts for their runtimes, see Figure 1 and Figure 2.

Due to the small sample size, rules are unclear in these two figures.
Even in this case, it can be seen that the FLIIC with the minimal norm and the
minimal cardinality is a good choice, although there are some counter-examples.
Indeed, sometimes it is hard to determine which choice is the best in advance for
a model. However, according to a large amount of experimental data in Table 3,
it is a better choice to use the FLIIC with the minimal norm and the minimal
cardinality in most cases.


Table 3. The experimental result of automated search models with different
norms/cardinalities

Test | #Samples | #Test 0 Dom | %Test 0 Dom | BT Mean | Opt Choice
Present(T_0, R_3, N) | 6051 | 3280 | 54.2% | 1.97 | 0
Present(T_0, R_3, C) | 6051 | 4655 | 76.93% | 0.32 | 0
Rectangle(T_0, R_3, N) | 6051 | 3538 | 58.4% | 1.77 | 0
Rectangle(T_0, R_3, C) | 6051 | 4995 | 82.5% | 0.18 | 0
Present(T_1, R_20, N) | 4096 | 3517 | 85.86% | 0.51 | 0
Present(T_1, R_25, N) | 4096 | 3359 | 82.01% | 0.74 | 0
Present(T_1, R_30, N) | 4096 | 3438 | 83.94% | 0.58 | 0
Present(T_1, R_20, C) | 4096 | 3978 | 97.12% | 0.04 | 0
Present(T_1, R_25, C) | 4096 | 3837 | 93.68% | 0.08 | 0
Present(T_1, R_30, C) | 4096 | 3747 | 91.48% | 0.12 | 0
Rectangle(T_1, R_20, N) | 4096 | 4076 | 99.51% | 0.02 | 0
Rectangle(T_1, R_25, N) | 4096 | 4084 | 99.71% | 0.02 | 0
Rectangle(T_1, R_30, N) | 4096 | 4075 | 99.49% | 0.02 | 0
Rectangle(T_1, R_20, C) | 4096 | 4096 | 100.00% | 0 | 0
Rectangle(T_1, R_25, C) | 4096 | 4096 | 100.00% | 0 | 0
Rectangle(T_1, R_30, C) | 4096 | 4096 | 100.00% | 0 | 0
Total | 73356 | 62867 | 85.70% | - | 0


Fig. 1. Influence of the norm on the runtime

Fig. 2. Influence of the cardinality on the runtime